Rug Pull & Honeypot Detection: How to Spot Crypto Scams (2026)
Published March 7, 2026 · By JaredFromSubway
The explosive growth of decentralized finance has created unprecedented opportunities for traders and investors — but it has also made crypto one of the most fertile environments for scams. Rug pulls and honeypot tokens collectively account for billions of dollars in losses every year, targeting everyone from first-time buyers to experienced DEX snipers who move too fast without proper token verification. Understanding how these scams work and how to detect them is no longer optional — it is a survival skill in DeFi.
In this guide, JaredFromSubway breaks down the mechanics behind rug pulls and honeypot tokens, walks through the exact methods used to detect them before buying, and explains how automated MEV bots filter out scam tokens at machine speed. Whether you are a manual trader checking tokens before aping in or a bot developer building safety filters into your infrastructure, this is the detection framework you need.
What Is a Rug Pull in Crypto?
A rug pull is a type of crypto scam where the developers of a token project deliberately abandon it after extracting as much value as possible from investors. The term comes from the metaphor of "pulling the rug out" from under someone — the project appears legitimate until the moment the creators disappear with the funds. Rug pulls are most common on decentralized exchanges like Uniswap and PancakeSwap, where anyone can create a token and add liquidity without any vetting process.
The typical rug pull follows a predictable pattern. A developer deploys a new ERC-20 token, creates a liquidity pool on a DEX by pairing it with ETH or a stablecoin, then promotes the token through social media, Telegram groups, and paid influencers. As buyers swap into the token and the price rises, the developer waits for peak hype before executing the exit. The rug pull itself can take many forms, but the result is always the same: investors are left holding tokens that are worth nothing.
What Are the Different Types of Rug Pulls?
Rug pulls fall into two broad categories, each with distinct mechanics and warning signs that traders should understand before interacting with any new token.
Hard Rug Pulls
A hard rug pull involves a malicious function coded directly into the smart contract that allows the developer to steal funds instantly. Common hard rug mechanisms include hidden mint functions that let the owner create unlimited tokens and dump them on the market, backdoor functions that drain the liquidity pool directly, and proxy contracts that can be silently upgraded to introduce malicious logic after the token has been audited. Hard rug pulls are the most devastating because they happen in a single transaction — one moment the pool has liquidity, the next it is completely empty. Understanding these patterns is essential knowledge in smart contract security.
Soft Rug Pulls
A soft rug pull is more subtle. Instead of exploiting a contract vulnerability, the developer simply sells their token holdings gradually over time, crashing the price through sustained selling pressure. The developer may hold a large percentage of the total supply in wallets that are not publicly linked to the project, making the dump appear to come from unrelated holders. Soft rugs are harder to prosecute and harder to detect in real time because there is no single catastrophic event — just a slow bleed that leaves investors underwater.
How Do Honeypot Tokens Work?
A honeypot token is a specific type of scam contract engineered so that buyers can purchase the token but cannot sell it. The contract appears completely normal on the surface — it has a name, a symbol, a liquidity pool, and a rising price chart that looks attractive. But when a holder tries to swap back to ETH or another token, the transaction reverts, fails silently, or incurs a 99% tax that makes selling effectively impossible. The only address that can sell is the deployer's own wallet.
Honeypot mechanics are implemented in several ways. The most common is a modified transfer or approve function that includes a whitelist check. If the sender is not on the whitelist, the transfer reverts. Other honeypots use dynamic tax functions where the sell tax starts at 0% to appear safe, then gets cranked to 99% once enough buyers have entered. Some contracts use a hidden require statement that blocks transfers to DEX router addresses, preventing sells while allowing wallet-to-wallet transfers to pass basic simulation checks.
The sophistication of honeypot contracts has increased dramatically. Modern honeypots may pass basic automated checks by allowing the first few sell transactions to succeed before activating the trap, or by implementing time-based locks that only trigger after a specific block number. This is why static analysis alone is insufficient — effective detection requires actual transaction simulation against the live contract state, which is precisely what JaredFromSubway's token filtering system does before every buy.
How Can You Detect Rug Pulls and Honeypot Tokens?
Detection relies on a combination of on-chain analysis techniques that together paint a comprehensive picture of whether a token is safe to interact with. No single check is sufficient on its own, but together they catch the vast majority of scam tokens.
Contract Source Code Analysis
The first line of defense is examining whether the contract source code is verified on Etherscan or the relevant block explorer. Unverified contracts are an immediate red flag — if the developer is unwilling to publish the source code, there is likely something hidden. For verified contracts, search for dangerous functions like mint, setTax, blacklist, and pause that give the owner power to manipulate trading conditions after deployment.
Liquidity Lock Verification
A locked liquidity pool means the developer cannot withdraw the paired ETH or stablecoins from the DEX pool for a specified period. Legitimate projects lock their liquidity using services like Unicrypt or Team Finance, and the lock can be verified on-chain. If liquidity is not locked, the developer can remove all paired assets at any time, instantly crashing the token price to zero. Always verify the lock duration — a 24-hour lock is nearly as dangerous as no lock at all. Look for locks of at least 6-12 months as a minimum standard.
Ownership Renouncement
When a contract owner calls the renounceOwnership function, they permanently give up the ability to call owner-only functions like minting new tokens, changing taxes, or pausing trading. This is generally a positive signal, but it is not foolproof. Some contracts implement a hidden recovery mechanism that allows the deployer to reclaim ownership after renouncing it. Others use a separate admin address that retains elevated privileges even after the owner role is renounced. Always check whether the contract has additional privileged roles beyond the standard owner.
Tax Function Inspection
Many scam tokens use adjustable buy and sell taxes. A token might launch with a 0% buy tax and 0% sell tax to attract buyers, then the developer increases the sell tax to 99% once enough liquidity has been added by buyers. Check whether the contract includes functions like setFee, updateTax, or setSwapFee that allow the owner to modify the tax rate without any upper bound. Safe contracts either hard-code taxes or cap the maximum at a reasonable level like 5%. Understanding slippage mechanics is also important here, as high taxes function similarly to extreme slippage that drains value from sellers.
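A minimal sketch of the source-code and tax-function checks described above, run over verified Solidity source. This is an added example, not code from JaredFromSubway's system; the function names `scan`, `functions` and `is_capped`, the regex heuristics and the `SAMPLE` contract are all assumptions constructed for illustration.

```python
import re

# Names the page lists for review: mint, pause, blacklist, and tax/fee setters.
RISKY = re.compile(r"^(mint|pause|blacklist|(set|update)\w*(tax|fee)\w*)$", re.I)
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

def functions(source):
    """Yield (name, modifiers, body) per function, matching braces by depth."""
    for m in FUNC.finditer(source):
        depth, i = 1, m.end()
        while depth and i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), source[m.end():i - 1]

def is_capped(body):
    # Heuristic (assumption): some require(...) in the body has a < or <= comparison.
    return re.search(r"require\s*\([^;]*<", body) is not None

def scan(source):
    """Return [(function, finding)] for owner-only functions worth manual review."""
    findings = []
    for name, modifiers, body in functions(source):
        if not RISKY.match(name) or "onlyOwner" not in modifiers:
            continue
        if re.search(r"tax|fee", name, re.I):
            if not is_capped(body):
                findings.append((name, "fee setter with no upper bound"))
        else:
            findings.append((name, "owner can change trading conditions"))
    return findings

# Constructed sample, not a real token.
SAMPLE = """
contract Token {
    function setSellTax(uint256 t) external onlyOwner { sellTax = t; }
    function setBuyFee(uint256 f) external onlyOwner { require(f <= 5, "cap"); buyFee = f; }
    function blacklist(address a, bool b) external onlyOwner { blocked[a] = b; }
    function transfer(address to, uint256 v) public returns (bool) { return _move(msg.sender, to, v); }
}
"""
```

The scan only recognises the `onlyOwner` modifier by name, so custom modifiers, inline `require(msg.sender == ...)` checks, proxies and external validator contracts still need the other checks in this guide.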
What Tools Can You Use to Check for Honeypots and Rug Pulls?
Several free and widely used tools provide automated scam detection for tokens across Ethereum, BSC, and other EVM-compatible chains. These tools are invaluable for manual traders who want to perform quick safety checks before buying.
Token Sniffer analyzes smart contract code for known scam patterns, assigns a risk score based on over 20 detection criteria, and flags contracts that contain hidden minting functions, transfer restrictions, or proxy upgrade capabilities. It also tracks whether the contract matches known scam contract templates that are frequently reused by serial rug pullers.
GoPlus Security API provides programmatic access to token safety data including honeypot status, tax rates, owner privileges, and whether the contract is a proxy. GoPlus is particularly useful for bot developers because its API can be integrated directly into automated trading pipelines, returning safety verdicts in milliseconds. JaredFromSubway's infrastructure queries GoPlus data as one layer of its multi-stage token filtering system.
Honeypot.is performs a live simulation of a buy and sell transaction against the token contract, reporting whether the sell succeeds, what the effective tax rate is, and whether there are any transfer restrictions. This simulation-based approach is more reliable than static code analysis because it catches honeypots that use conditional logic, time-based triggers, or external contract calls to activate their trap.
How Do Sniper Bots Check for Honeypots Before Buying?
Automated sniper bots that target newly launched tokens face a unique challenge: they need to buy within seconds of liquidity being added, but they also need to verify the token is not a honeypot. Moving too slowly means missing the entry; moving too fast without checks means buying an unsellable token. The best sniper bots solve this by running honeypot simulations in parallel with their buy logic.
The simulation process works by forking the current blockchain state locally and executing a test buy followed by a test sell against the forked state. If the sell transaction reverts, the token is flagged as a honeypot and the buy is aborted. If the sell succeeds but returns significantly less of the paired asset than expected (indicating a hidden tax), the bot calculates the effective sell tax and only proceeds if it falls within acceptable parameters. This entire simulation runs in under 5 milliseconds on optimized infrastructure, adding negligible latency to the sniping pipeline.
JaredFromSubway's sniping infrastructure goes further by also checking the contract bytecode against a database of known scam contract templates, verifying whether liquidity has been locked, and confirming that ownership has been renounced — all within the same sub-10-millisecond window. This multi-layer approach catches scams that would pass any single detection method alone.
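The test-buy/test-sell check described in this section, modelled on a toy constant-product pair. This is an added example, not JaredFromSubway's code: `Pair`, `check_token`, the 500 bps default threshold and the in-memory "fork" are assumptions, and a real check would issue the same two calls against a forked EVM state.

```python
import copy
from dataclasses import dataclass
from typing import Optional

class Revert(Exception):
    """Stands in for an EVM revert in this toy model."""

def v2_out(amount_in, reserve_in, reserve_out):
    # Uniswap V2 constant-product quote, including the 0.3% pool fee.
    fee_in = amount_in * 997
    return fee_in * reserve_out // (reserve_in * 1000 + fee_in)

@dataclass
class Pair:
    """Constructed stand-in for forked state: pool reserves plus token sell rules."""
    eth: int
    tok: int
    sell_tax_bps: int = 0
    allowed_sellers: Optional[frozenset] = None   # None means anyone may sell

    def buy(self, eth_in):
        out = v2_out(eth_in, self.eth, self.tok)
        self.eth, self.tok = self.eth + eth_in, self.tok - out
        return out

    def sell(self, seller, tok_in):
        if self.allowed_sellers is not None and seller not in self.allowed_sellers:
            raise Revert("sell blocked for this address")
        net = tok_in * (10_000 - self.sell_tax_bps) // 10_000  # tax skimmed in transfer
        out = v2_out(net, self.tok, self.eth)
        self.tok, self.eth = self.tok + net, self.eth - out
        return out

def check_token(live, eth_in, max_tax_bps=500, trader="sim-wallet"):
    """Test buy then test sell on a copy of the state; returns (verdict, tax_bps)."""
    fork = copy.deepcopy(live)                      # live state is never modified
    bought = fork.buy(eth_in)
    expected = v2_out(bought, fork.tok, fork.eth)   # what a tax-free sell would return
    try:
        actual = fork.sell(trader, bought)
    except Revert:
        return "honeypot", None
    tax_bps = (expected - actual) * 10_000 // expected
    return ("ok" if tax_bps <= max_tax_bps else "high_tax"), tax_bps
```

The measured tax comes out slightly below the configured rate because the taxed sell moves the pool price less than the tax-free quote does, so thresholds should be compared against the measured value rather than a figure read from the contract.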
What Are the Biggest Smart Contract Red Flags?
When reviewing a token contract — whether manually on Etherscan or through automated analysis — several patterns should trigger immediate caution. These red flags do not guarantee a token is a scam, but the presence of multiple indicators dramatically increases the probability.
Unverified source code is the most obvious warning sign. Legitimate projects almost always verify their contracts. Hidden onlyOwner functions that can modify transfer behavior post-deployment are extremely dangerous. Contracts that import from non-standard libraries or reference external contracts for transfer validation should be treated with suspicion, as the external contract can be modified independently. Proxy patterns (particularly transparent proxies or UUPS upgradeable contracts) allow the entire contract logic to be swapped out after launch, meaning a contract that appears safe today could become a honeypot tomorrow.
Other critical red flags include: a single wallet holding more than 5% of total supply (potential dump risk), no trading activity from wallets other than the deployer, the contract deployer having previously deployed known scam contracts, liquidity pool tokens not sent to a lock contract or burn address, and the maxTxAmount or maxWalletSize being set to values that restrict normal selling behavior. Understanding these patterns is a core part of smart contract security.
How Do MEV Bots Avoid Honeypot Tokens?
For MEV bots that execute sandwich attacks or arbitrage trades, interacting with a honeypot token would be catastrophic. A bot that buys a token as part of a front-run but cannot sell it in the back-run would lose the entire investment. This is why every serious MEV operation includes comprehensive token safety checks as a hard prerequisite before any trade execution.
JaredFromSubway's token filtering system uses a five-stage verification pipeline. First, the contract bytecode is hashed and compared against a blacklist of known scam contract templates. Second, the contract's function signatures are extracted and checked for dangerous owner-only functions. Third, a simulated buy-and-sell is executed on a local EVM fork to confirm the token can actually be sold and to measure the effective tax. Fourth, the liquidity pool is checked for lock status and minimum liquidity thresholds. Fifth, the deployer address is cross-referenced against a database of known scam deployers. Only tokens that pass all five stages are eligible for trading.
This pipeline executes in under 8 milliseconds and runs on every new token that JaredFromSubway encounters in the mempool. The filtering system is conservative by design — it is better to miss a legitimate trading opportunity than to get trapped in a honeypot. Over time, the blacklist databases grow as new scam patterns are identified, creating an increasingly comprehensive defense that adapts to the evolving landscape of DeFi scams.
Frequently Asked Questions
Can a honeypot token pass automated safety checks?
Yes, sophisticated honeypots can pass basic automated checks by allowing the first several sell transactions to succeed before activating the trap, or by using time-based logic that only blocks sells after a certain block number. Some honeypots detect simulation environments and behave normally during testing but revert real transactions. This is why JaredFromSubway uses multi-layer detection that combines bytecode analysis, live simulation, deployer reputation checks, and liquidity verification rather than relying on any single method.
What is the difference between a rug pull and a honeypot?
A rug pull is a broader category of scam where developers abandon a project after extracting value, typically by removing liquidity or dumping their token holdings. A honeypot is a specific technical mechanism built into the smart contract that prevents buyers from selling. All honeypots are effectively rug pulls in intent, but not all rug pulls use honeypot mechanics. A soft rug pull, for example, involves the developer slowly selling their holdings over time without any contract-level restrictions on other holders.
How quickly can a new token be checked for honeypot status?
With optimized infrastructure, a comprehensive honeypot check including contract bytecode analysis, buy-sell simulation, and liquidity verification can be completed in under 10 milliseconds. JaredFromSubway's system runs this pipeline on every new token detected in the mempool before executing any trade. Manual checks using tools like Honeypot.is or Token Sniffer typically take 2-5 seconds due to network latency and API response times, which is still fast enough for manual traders but far too slow for competitive bot operations.
Are rug pulls illegal?
In most jurisdictions, rug pulls constitute fraud and are illegal. However, enforcement is extremely difficult because scam developers typically use anonymous wallets, deploy contracts through mixers, and operate across international borders. Some high-profile rug pulls have resulted in arrests and prosecutions, but the vast majority go unpunished. This enforcement gap is precisely why on-chain detection and prevention are so critical — by the time law enforcement gets involved, the funds are long gone. Tools and automated systems like JaredFromSubway's token filter are the first and often only line of defense.